
Repository metadata signing in AL2023 - Amazon Linux 2023

Repository metadata signing in AL2023

Starting with release 2023.11.20260406, AL2023 repositories include cryptographic signatures for repository metadata. Each repository's repomd.xml file is accompanied by a detached GPG signature file (repomd.xml.asc) that you can use to verify the authenticity and integrity of the repository metadata before packages are downloaded.

This signing is in addition to the existing RPM package signing (gpgcheck), which verifies individual packages. Repository metadata signing verifies the metadata that describes the contents of the repository, such as the list of available packages and their checksums.

How repository metadata signing works

When AL2023 repositories are published, the repository metadata (repomd.xml) is signed using an Amazon KMS key. The resulting detached signature (repomd.xml.asc) is placed alongside the metadata in the repository.

When you enable repo_gpgcheck in your repository configuration, DNF automatically downloads and verifies the repomd.xml.asc signature against the GPG public key before using the repository metadata. If the signature verification fails, DNF rejects the repository metadata and does not proceed with package operations from that repository. For more information about repo_gpgcheck, see the DNF Configuration Reference.

The following AL2023 repositories include signed metadata:

  • Core repository (amazonlinux)

  • Kernel Livepatch repository (kernel-livepatch)

  • NVIDIA repository (amazonlinux-nvidia)

  • Supplementary Packages for Amazon Linux repository (amazonlinux-spal)

Difference between gpgcheck and repo_gpgcheck

Setting: gpgcheck=1
  What it verifies: Verifies the GPG signature of individual RPM packages before installation.
  Default in AL2023: Enabled

Setting: repo_gpgcheck=1
  What it verifies: Verifies the GPG signature of the repository metadata (repomd.xml) before using the repository.
  Default in AL2023: Disabled (enabled by default starting with the 2023.12 quarterly release)

We strongly recommend that you enable both gpgcheck and repo_gpgcheck. This ensures that both the repository metadata and the individual packages are verified before use.

Enabling repository metadata verification

You can enable repository metadata verification for individual repositories by updating their configuration files.

Important

Starting with the 2023.12 quarterly release, repo_gpgcheck=1 will be enabled by default in the AL2023 repository configuration files.

Enable for a specific repository

The AL2023 repository configuration files in /etc/yum.repos.d/ set repo_gpgcheck=0 by default. To enable repository metadata verification, change this value to 1 in the repository configuration. For example, to enable it for the core repository:

[amazonlinux]
name=Amazon Linux 2023 repository
...
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023
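Because the setting is per repository, a host can end up with some sections enforcing repo_gpgcheck and others not. The following audit script is an added example, not part of this documentation or of AL2023; it parses .repo file content on stdin and reports every enabled section whose repo_gpgcheck is missing or not set to 1. The sample repository content embedded in it is constructed for illustration.

```shell
# Added example (not from the AL2023 docs): audit DNF .repo files for
# enabled repositories that do not enforce repodata signature checks.
# Constructed sample resembling /etc/yum.repos.d/*.repo content; not a real file.
SAMPLE_REPO='[amazonlinux]
name=Amazon Linux 2023 repository
enabled=1
gpgcheck=1
repo_gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023

[kernel-livepatch]
name=Amazon Linux 2023 Kernel Livepatch repository
enabled=1
gpgcheck=1
repo_gpgcheck=1

[amazonlinux-nvidia]
name=Amazon Linux 2023 NVIDIA repository
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-NVIDIA-D42D0685'

# audit_repo_config: read .repo content on stdin, print "<section> <finding>"
# for each enabled section where repo_gpgcheck is missing or not 1.
# On a real host: for f in /etc/yum.repos.d/*.repo; do audit_repo_config < "$f"; done
audit_repo_config() {
    awk '
    function flush() {
        if (sec != "" && enabled != "0") {
            if (rgc == "") print sec, "repo_gpgcheck-missing"
            else if (rgc != "1") print sec, "repo_gpgcheck=" rgc
        }
    }
    /^[[:space:]]*\[.*\][[:space:]]*$/ {          # new [section] header
        flush(); sec = $0
        gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "", sec)
        enabled = "1"; rgc = ""; next
    }
    /^[[:space:]]*[#;]/ { next }                  # comment line
    /=/ {                                         # key=value line
        key = $0; sub(/=.*/, "", key); gsub(/[[:space:]]/, "", key)
        val = $0; sub(/^[^=]*=/, "", val); gsub(/[[:space:]]/, "", val)
        if (key == "repo_gpgcheck") rgc = val
        else if (key == "enabled") enabled = val
    }
    END { flush() }'
}

printf '%s\n' "$SAMPLE_REPO" | audit_repo_config
```

For the constructed sample this reports amazonlinux (repo_gpgcheck=0) and amazonlinux-nvidia (no repo_gpgcheck line at all); kernel-livepatch is silent because it already enforces the check.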

Verifying that repository metadata signing is working

After enabling repo_gpgcheck=1, you can verify that metadata verification is working by clearing the DNF cache and refreshing the metadata:

[ec2-user ~]$ sudo dnf clean metadata
[ec2-user ~]$ sudo dnf makecache

If the metadata verification succeeds, DNF imports the GPG key (if not already imported) and creates the metadata cache without errors. You will see output similar to the following:

Amazon Linux 2023 repository                    1.7 MB/s | 1.8 kB     00:00
Importing GPG key 0xD832C631:
 Userid     : "Amazon Linux <amazon-linux@amazon.com>"
 Fingerprint: B21C 50FA 44A9 9720 EAA7 2F7F E951 904A D832 C631
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023
Amazon Linux 2023 repository                     18 MB/s |  55 MB     00:03
Metadata cache created.

If the signature verification fails, DNF displays an error message indicating a GPG signature verification failure and metadata cache creation fails.

GPG public keys for AL2023 repositories

The GPG public keys used for repository metadata verification are installed by the corresponding repository configuration RPMs to /etc/pki/rpm-gpg/. The following table lists the public keys used by each repository.

Repository: Core (amazonlinux)
  Package signing key: RPM-GPG-KEY-amazon-linux-2023
  Repodata signing key: RPM-GPG-KEY-amazon-linux-2023
  Distributed in: system-release

Repository: Kernel Livepatch (kernel-livepatch)
  Package signing key: RPM-GPG-KEY-amazon-linux-2023
  Repodata signing key: RPM-GPG-KEY-amazon-linux-2023
  Distributed in: system-release

Repository: NVIDIA (amazonlinux-nvidia)
  Package signing key: RPM-GPG-KEY-NVIDIA-D42D0685
  Repodata signing key: RPM-GPG-KEY-amazon-linux-2023-nvidia
  Distributed in: nvidia-release

Repository: SPAL (amazonlinux-spal)
  Package signing key: RPM-GPG-KEY-amazonlinux-spal
  Repodata signing key: RPM-GPG-KEY-amazonlinux-spal
  Distributed in: spal-release

These keys are automatically installed when you install the corresponding repository configuration RPM.